[UNIX] WordPress Cafelog SQL Injection Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03
To: list@securiteam.com
Date: 9 Oct 2003 15:51:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WordPress Cafelog SQL Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://wordpress.org/> WordPress is "a semantic personal publishing
platform with a focus on aesthetics, web standards, and usability". The
WordPress Cafelog has been found to contain an SQL Injection vulnerability
due to its inadequate filtering of incoming user data.
DETAILS
Vulnerable Versions:
* CVS versions before October 1, 2003
* The vulnerability affects code inherited from b2, so all versions of
WordPress released before the CVS fix are affected, as are many versions
of b2.
A number of SQL injection vulnerabilities have been fixed that could allow
arbitrary SQL to be injected if one has local access to the filesystem the
database can access (using 'source filename.sql;'). The characters ' (single
quote), " (double quote) and \ (backslash) are all filtered, and the space
character is munged into SQL constructs before injection, so %09 (the tab
character) can be used wherever spaces would normally appear in the SQL
string one wishes to inject. The problem affects the category (cat) and
order-by (order_by) code. The author (author) code was almost vulnerable,
except for a small bug that mis-converted author to an integer before string
processing. The problems are located in the blog.header.php file, and a
patch (provided by the authors) is linked below that fixes the
vulnerabilities and includes general bug fixes and code cleanup. Any SQL
string not including quotes or a backslash can be injected through the URL
(e.g. 'drop table foo;').
Patch:
A patch is available for download from:
http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u
Exploit:
The following is an example URL:
http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1
The example exposes private posts. Dropping tables should be trivial,
especially using the order_by flaw.
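The following is an added example, not code from WordPress or b2, that models the filter shape the advisory describes (strip quotes and backslash, interpolate the value unquoted) and contrasts it with a hardened handler: cat cast to an integer and bound as a parameter, order_by checked against an allow list, plus a request-log check that flags values the hardened validators would reject. The column names, table name and query string layout are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed shape of the weak filter: quotes and backslash removed, value then
# dropped into the SQL string without quoting. Because cat sits in a numeric
# context, removing quote characters stops nothing; tabs survive untouched.
def weak_filter(value: str) -> str:
    return value.replace("'", "").replace('"', "").replace("\\", "")

def build_query_weak(cat: str) -> str:
    return f"SELECT * FROM posts WHERE (category = {weak_filter(cat)})"

# Hardened handling: cat must be an integer and travels as a bound parameter;
# order_by cannot be parameterised, so it is restricted to known column names.
ALLOWED_ORDER = {"date", "title", "author"}  # assumed column set

def validate_cat(value: str) -> int:
    if not re.fullmatch(r"\d+", value):
        raise ValueError("cat must be a non-negative integer")
    return int(value)

def validate_order_by(value: str) -> str:
    if value not in ALLOWED_ORDER:
        raise ValueError("order_by not in the allow list")
    return value

def build_query_safe(cat: str, order_by: str) -> tuple:
    col = validate_order_by(order_by)  # safe to interpolate: allow-listed
    return (f"SELECT * FROM posts WHERE category = %s ORDER BY {col}",
            (validate_cat(cat),))

# Defender-side check over a raw query string (e.g. from an access log):
# report cat/order_by values that the hardened validators would reject.
def flag_request(query_string: str) -> list:
    params = parse_qs(query_string, keep_blank_values=True)
    findings = []
    for raw in params.get("cat", []):
        if not re.fullmatch(r"\d+", raw):
            findings.append(f"cat: non-numeric value {raw!r}")
    for raw in params.get("order_by", []):
        if raw not in ALLOWED_ORDER:
            findings.append(f"order_by: unexpected column {raw!r}")
    return findings

# Constructed sample: the query string from the advisory's example URL.
SAMPLE_QS = "cat=100)%09or%090=0%09or%09(0=1"

if __name__ == "__main__":
    print(build_query_weak("100)\tor\t0=0\tor\t(0=1"))  # tabs pass the weak filter
    print(flag_request(SAMPLE_QS))
```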
ADDITIONAL INFORMATION
The information has been provided by Seth Woolley <seth@tautology.org>.